flask: create unified "flask=" boot parameter
This unifies the flask_enforcing and flask_enabled boot parameters into
a single parameter with additional states. Defined options are:
enforcing - require policy to be loaded at boot time and enforce it
permissive - a missing or broken policy does not panic
disabled - revert to dummy (no XSM) policy. Was flask_enabled=0
late - bootloader policy is not used; later loadpolicy is enforcing
The default mode remains "permissive" and the flask_enforcing boot
parameter is retained for compatibility. If flask_enforcing=1 is
specified and flask= is not, the bootloader policy will be loaded in
enforcing mode if present, but errors will disable access controls until
a successful loadpolicy instead of causing a panic at boot.
Suggested-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
projects / xen.git / commit